Is AI HIPAA Compliant for Therapists?

What Actually Determines If You’re Protected or Exposed

Most therapists are starting to ask the same question right now: is AI HIPAA compliant?

It sounds like the right question, especially with how quickly these tools are showing up in documentation, marketing, and even clinical workflows. The problem is that the question itself is incomplete, and if you stop there, it can create a false sense of security.

AI and HIPAA is not just about what you are typing into a tool. It is about what that tool can access, what it can interact with, and how it is configured inside your practice. Once you look at it that way, it changes how you evaluate all of it.

Is “AI HIPAA Compliant?” the Right Question to Ask?

HIPAA does not certify tools. It does not label platforms as compliant or noncompliant, and it does not give blanket approval to any software just because it is widely used.

What HIPAA actually evaluates is how protected health information is handled within your practice under the HIPAA Privacy Rule. That means a tool can be capable of being used in a compliant way without automatically making every use of that tool compliant.

Two therapists can use the exact same platform and end up with very different compliance pictures. The difference is often not the tool itself. It is how the tool is being used, what information it can access, what systems it interacts with, and whether the necessary safeguards have actually been put into place.

In practical terms, that includes whether the tool is connected to systems that contain PHI, whether a Business Associate Agreement is required and in place, and whether your settings have been intentionally configured or simply left at default.

This is where assumptions can quietly replace evaluation. The question is not whether a platform says it supports HIPAA compliance. The question is whether you can clearly identify how it fits into the way protected health information is being handled within your practice.

⚠️ AI Is Not
“HIPAA Compliant”

HIPAA does not approve tools. It evaluates how protected health information is handled.

A tool can be HIPAA-capable. Your use of it is what determines compliance.

If you cannot clearly explain what the tool can access, how it is configured, and how its use is documented in your practice, then you do not have a compliance answer yet.

The Bigger Risk Most People Are Missing

A lot of the current conversation around AI focuses on prompts. People try to stay on the safe side by avoiding identifying details, assuming that if they do not enter protected health information, they are not creating risk.

The issue is that prompts are only one part of the picture.

Many AI tools now integrate with other systems or allow you to upload, store, and connect information in ways that extend far beyond a single interaction. Once a tool has access to your email, documents, or cloud storage, you are no longer just dealing with a prompt. You are dealing with a system that may be creating, receiving, maintaining, or transmitting protected health information, which falls under the requirements of the HIPAA Security Rule.

That means the compliance decision has to account for more than just what you’re typing into the tool.

How Should Therapists Evaluate AI Risk?

A more practical way to evaluate AI in your practice is to step back and look at how it functions across four areas. This is the same framework I use when walking therapists through AI risk.

Input refers to what information is being entered into the tool. Output is what the tool generates and where that information goes. Access includes any systems, files, or data the tool can interact with. Automation covers what the tool can do or trigger beyond a single prompt.

Most of the risk tends to show up in access and automation, not just input, which is why simply avoiding PHI in prompts does not fully address the issue.

AI risk evaluation framework for therapists showing four areas: input (what you enter), output (where it goes), access (what it can reach), and automation (what it can do beyond you), highlighting that most risk occurs in access and automation.

What Makes AI HIPAA Compliant for Therapists?

AI does not sit outside of HIPAA. It falls under the same expectations that apply to any system that creates, receives, maintains, or transmits protected health information. These requirements are defined under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.

From there, it becomes a question of whether your current compliance setup actually accounts for it.

At a minimum, your practice should be able to demonstrate that AI tools have been evaluated as part of your Security Risk Analysis. The requirement to identify and assess risks to protected health information, including new technologies, is established under the Security Rule at 45 CFR §164.308(a)(1)(ii)(A).

It also means that any vendor with access to PHI must be evaluated from a Business Associate standpoint, that your configuration settings are intentionally managed, and that your internal policies clearly define how these tools can and cannot be used.

Even a platform that is capable of supporting HIPAA compliance can create risk if access permissions, integrations, or data handling settings are not properly controlled. And just as importantly, anyone in your practice using these tools needs to understand those boundaries. Without that, even a well-configured system can be used in ways that create exposure.

Why Are Therapists Getting Conflicting Answers About AI and HIPAA?

Most of what’s happening right now isn’t intentional. They are coming from small gaps that add up.

Some therapists assume that paying for a higher tier of a tool automatically makes it compliant. Others believe that avoiding PHI in prompts is enough to eliminate risk. Many are connecting tools to systems like email or cloud storage without fully evaluating what access is actually being granted.

There is also a tendency to rely on vendor marketing language instead of documented safeguards, and in many cases, AI is being used without ever being addressed in a Security Risk Analysis or written policy.

Individually, these may not seem like major issues. From a compliance standpoint, they are exactly the kinds of gaps that matter.

How Can Therapists Evaluate Whether an AI Tool Creates HIPAA Risk?

If you are currently using or considering using AI in your practice, you should be able to clearly answer a few key questions.

  • What information can this tool access, directly or indirectly?
  • Where is that information stored or processed?
  • Does the vendor offer a Business Associate Agreement?
  • How is the tool configured within your systems?
  • Has this been evaluated and documented in your Security Risk Analysis?

If those answers aren’t clear, your compliance picture isn’t either. If you are not evaluating how a tool interacts with protected health information, you are missing a core requirement of HIPAA’s risk analysis standard under 45 CFR §164.308(a)(1)(ii)(A).

The Bottom Line

One thing I see regularly is that practices often feel reasonably confident about their compliance efforts until they start walking through the details of how their systems, vendors, and workflows actually function together.

That is not because anyone is intentionally cutting corners. Most therapists are trying to do the right thing with the information they have. The challenge is that compliance questions often start as operational questions, and those operational pieces are not always visible until someone takes the time to examine them closely.

AI is not changing the underlying HIPAA requirements. What it is doing is creating new opportunities to discover where existing processes have not been fully evaluated, documented, or intentionally structured.

The practices that are in the strongest position are usually not the ones avoiding technology altogether. They are the ones taking the time to understand how these tools fit into their workflows, what information they can access, and how those decisions are being documented as part of the larger compliance picture.

At the end of the day, HIPAA is less about what a practice intended to do and more about whether it can demonstrate the decisions, safeguards, and processes that support the way protected health information is being handled.

AI is moving faster than most compliance guidance, which is exactly why the responsibility falls back on the practice to evaluate, configure, and document its use appropriately. The tools will continue to evolve. The standard for compliance does not.

Stay Updated on Compliance Changes

Compliance expectations are constantly evolving, and most providers don’t hear about changes until they become a problem.

If you want clear, practical updates you can actually use, you can join my email list below.

If You’re Using AI, This Applies to You

If you are using AI in your practice, the real question is not whether the tool is compliant. It is whether you have actually evaluated how it interacts with protected health information and documented that decision.

For a lot of practices, that step hasn’t actually been done yet.

If you want a clear way to identify where your gaps are, you can start with the free HIPAA compliance checklist here:
https://www.guardianclinicalessentials.com/get-freebies/

And if you have never completed a Security Risk Analysis or are not sure how to evaluate tools like AI within it, you can learn more here:
https://www.guardianclinicalessentials.com/hipaa-risk-assessment-therapists/

FAQs

Is AI HIPAA compliant for therapists?

It depends.
HIPAA does not certify or approve AI tools. Whether an AI tool can be used in a compliant way depends on how it is configured, what information it can access, whether appropriate safeguards are in place, and how it is being used within the practice.

Can therapists use ChatGPT for progress notes?

It depends.
The answer depends on whether protected health information is involved, how the tool is being used, and whether the necessary compliance requirements have been addressed. Many therapists focus on the note itself, but the larger question is how the information is being handled throughout the workflow.

Does a Business Associate Agreement make AI HIPAA compliant?

No.
A Business Associate Agreement may be one part of the compliance picture, but it does not automatically make a tool HIPAA compliant. Configuration, access, workflow, and risk management considerations still need to be evaluated.

Do AI tools need to be included in a HIPAA Security Risk Analysis?

Yes.
If an AI tool creates, receives, maintains, or transmits protected health information, it should be evaluated as part of the practice’s Security Risk Analysis. New technologies can introduce risks that need to be identified and assessed.

Can therapists enter client information into AI tools?

It depends.
The answer depends on the type of information being shared, the tool being used, the vendor relationship, and how the information is stored or processed. Removing a client’s name alone does not automatically eliminate HIPAA concerns.

Should therapists avoid AI altogether?

No.
AI can provide useful support in many practice operations when it is implemented thoughtfully. The goal is not avoiding technology but understanding how it affects protected health information and evaluating the risks appropriately.

Sources – Federal HIPAA Guidance

This article is based on federal HIPAA requirements and guidance from the U.S. Department of Health & Human Services.

HIPAA Privacy Rule
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

HIPAA Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/index.html

HIPAA Breach Notification Rule
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Security Risk Analysis Guidance (HHS)
https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

About the Author

Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™.

She helps therapists and group practices understand how compliance, documentation, privacy, technology, and practice operations work together in real-world clinical settings. Her work focuses on turning complex requirements into practical systems, policies, workflows, and implementation strategies that providers can actually use.

Drawing from experience in both clinical practice and compliance consulting, Samantha specializes in helping mental health professionals build defensible, sustainable systems that support both quality care and regulatory compliance.

Learn more about Samantha and Guardian Clinical Essentials™.

Samantha Schalk, LMSW-C, LMSW-M, founder of Guardian Clinical Essentials
Related HIPAA Resources

If you want to better understand how these issues connect to your practice, these may be helpful:

This site uses cookies to enhance your experience and analyze site usage. By continuing, you consent to our use of cookies. For details, see our Cookie Policy.